Templates
Classes for constructing an OAA JSON payload (Custom "Application" or "IdP").
Copyright 2022 Veza Technologies Inc.
Use of this source code is governed by the MIT license that can be found in the LICENSE file or at https://opensource.org/licenses/MIT.

Global Variables
PROPERTY_NAME_REGEX

function append_helper
Helper function to simplify appending.
Handles multiple cases:
    base is None: starts a list
    addition is a list: extends base with the list
    addition is anything else: appends the element to the list
Args:
    base (List or None): base list to append to, can be None
    addition (*): what to append to the list
Returns:
    list: will always return a list
function unique_strs
Returns a list of unique strings from the input list, compared case insensitively.
For duplicate strings that differ only in case (e.g. "STRING" and "string") the case of the first occurrence is returned.
Args:
    input (list): list of strings
Returns:
    list: list of unique strings
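The two helpers above, written out as an added example (this is not the oaaclient module's own code, only an implementation of the behaviour the docstrings specify). The point worth seeing is why the de-duplication is case insensitive: identity lists in an OAA payload are mostly e-mail addresses, and treating "Alice@Example.com" and "alice@example.com" as different principals would make one person look like two accounts in the authorization graph. The sample input at the bottom is constructed.

```python
from typing import Any, List, Optional


def append_helper(base: Optional[list], addition: Any) -> list:
    """Return a list: start one if base is None, extend on a list, else append."""
    if base is None:
        base = []
    if isinstance(addition, list):
        base.extend(addition)
    else:
        base.append(addition)
    return base


def unique_strs(input: List[str]) -> List[str]:
    """Case-insensitive de-duplication that keeps the spelling of the first occurrence."""
    seen = set()
    result = []
    for s in input:
        key = s.lower()           # compare folded, but store the original spelling
        if key in seen:
            continue
        seen.add(key)
        result.append(s)
    return result


if __name__ == "__main__":
    # Constructed sample: one identity list built up from two sources
    ids = append_helper(None, "Alice@Example.com")
    ids = append_helper(ids, ["alice@example.com", "bob@example.com", "BOB@example.com"])
    print(unique_strs(ids))   # ['Alice@Example.com', 'bob@example.com']
```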
class OAATemplateException
General exception used for violations of the template schema.
method __init__

class OAAPermission
Canonical permissions used by the Veza Authorization Framework.
Used to describe the raw data or metadata permissions granted by a CustomPermission.

class OAAIdentityType
Types of identities for permission mapping.

class Provider
Base class for CustomProvider.
method __init__
method serialize

class Application
Base class for CustomApplication.
method __init__
class CustomApplication
Class for modeling application authorization using the OAA Application template.
The CustomApplication class consists of identities, resources and permissions and produces the OAA JSON payload for the custom application template.
The class uses dictionaries to track most entities so they can be referenced after creation. Dictionary keys are the entity identifier (name or id) and are case insensitive. This applies to local_users, local_groups, local_roles, idp_identities, resources and custom_permissions.
Args:
    name (str): Name of custom application
    application_type (str): Searchable property, can be unique or shared across multiple applications
    description (str, optional): Description for application. Defaults to None.
Attributes:
    application_type (str): Searchable application type
    custom_permissions (dict[OAAPermission]): Dictionary of class instances
    description (str): Description for application
    identity_to_permissions (dict): Mapping of authorizations for identities to resources
    idp_identities (dict[IdPIdentity]): Contains federated identities without a corresponding local account
    local_groups (dict[LocalGroup]): Contains application groups (collections of users)
    local_roles (dict[LocalRole]): Contains application roles (collections of permissions)
    local_users (dict[LocalUser]): Contains users local to the application and their properties
    name (str): Name of custom application
    properties (dict): key value pairs of property values, property keys must be defined as part of the property_definitions
    property_definitions (ApplicationPropertyDefinitions): Custom property names and types for the application
    resources (dict[CustomResource]): Contains data resources and sub-resources within the application
method __init__
method add_access
Legacy method for backwards compatibility.
.. deprecated::

method add_custom_permission
Create a new custom permission.
Creates a new CustomPermission object for the application that can be used to authorize identities to the application, to resources/sub-resources, or as part of a role.
Args:
    name (str): Name of the permission
    permissions (list[OAAPermission]): Canonical permissions the custom permission represents
    apply_to_sub_resources (bool, optional): If true, when the permission is applied to the application or a resource, the identity also has the permission to all children of that application/resource. Defaults to False.
    resource_types (list, optional): List of resource types as strings that the permission relates to. Defaults to empty list.
Returns: CustomPermission
method add_idp_identity
Create an IdP principal identity.
IdP users and groups can be authorized directly to applications and resources by associating custom application permissions and roles with an IdP identity's name or email.
Args:
    name (str): IdP unique identifier for user or group.
Returns: IdPIdentity

method add_local_group
Create a new local group.
Groups can be associated to resources via permissions or roles. All users in the local group are granted the group's authorization.
Local groups are identified by name by default; if unique_id is provided it is used as the identifier instead.
Local groups can be referenced after creation using the .local_groups dictionary attribute. The dictionary is case insensitive and keyed by unique_id, or by name if not using unique_id.
Args:
    name (str): Display name for group
    identities (list): List of IdP identities to associate group with.
    unique_id (str, optional): Unique identifier for group for reference by ID
Returns: LocalGroup

method add_local_role
Create a new local role.
A local role represents a collection of permissions.
Identities (local user, group, IdP user) can be assigned a role to the application or a resource, granting the role's permissions.
Local roles are identified by name by default; if unique_id is provided it is used as the identifier instead. Local roles can be referenced after creation if needed through the .local_roles case insensitive dictionary attribute. When a permission that has resource_types is added to a role, it will only apply to resources with a matching resource_type.
Args:
    name (str): Display name for role
    permissions (list): List of Custom Permission names to include in role. The CustomPermission must be created separately.
    unique_id (str, optional): Unique identifier for role for reference by ID
Returns: LocalRole

method add_local_user
Create a new local user for the application.
Local users can be assigned to groups and associated with resources via permissions or roles. Groups and identities can be provided at creation or added later. See the Identity and LocalUser classes for operations.
Local users are identified by name by default; if unique_id is provided it is used as the identifier instead.
Local users can be referenced after creation using the .local_users dictionary attribute. The dictionary is case insensitive and keyed by unique_id, or by name if not using unique_id.
Use unique_id when name is not guaranteed to be unique. All permission, group and role assignments will be referenced by unique_id.
Args:
    name (str): Display name for user
    identities (list): List of identities as strings (usually email) for local user. Used to map local user to discovered IdP identities.
    groups (list[LocalGroup]): List of group names (as string) to add user to
    unique_id (str, optional): Unique identifier for user for reference by ID
Returns: LocalUser

method add_resource
Create a new resource under the application.
Resource type is used to group and filter application resources. It should be consistent for all common resources of an application.
Returns the new resource object.
A resource is identified by name by default unless unique_id is provided. name must be unique if not using unique_id.
Resources can be referenced after creation using the .resources dictionary attribute. The dictionary is keyed by unique_id, or by name if not using unique_id. Use unique_id when name is not guaranteed to be unique.
Args:
    name (str): Name of resource
    resource_type (str): Type for resource
    description (str, optional): Description of resource. Defaults to None.
    unique_id (str, optional): Unique identifier for resource. Defaults to None.
Returns: CustomResource
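How the add_custom_permission, add_local_role, add_local_user and add_resource pieces combine into an identity-to-permissions mapping, as an added example. This is a deliberately small stand-in written for this page, not the oaaclient library's classes: the class and method names mirror the docs, but `role_assignments`, `descendants`, `build_example`, the dotted `resource_key` form and the dict returned by `identity_to_permissions` are this example's own simplifications, not the real OAA payload schema. It keeps the two rules the docs state: entity dictionaries are keyed case-insensitively, and a permission that carries `resource_types` only lands on resources of a matching type when its role is applied. The git-server model in `build_example` is constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Tuple


@dataclass
class CustomPermission:
    name: str
    permissions: List[str]                    # canonical names, e.g. "DataRead"
    apply_to_sub_resources: bool = False
    resource_types: List[str] = field(default_factory=list)


@dataclass
class CustomResource:
    name: str
    resource_type: str
    resource_key: str                         # full path; the key used for grants
    sub_resources: Dict[str, "CustomResource"] = field(default_factory=dict)

    def add_sub_resource(self, name: str, resource_type: str) -> "CustomResource":
        child = CustomResource(name, resource_type, f"{self.resource_key}.{name}")
        self.sub_resources[name.lower()] = child
        return child

    def descendants(self) -> Iterator["CustomResource"]:
        for child in self.sub_resources.values():
            yield child
            yield from child.descendants()


@dataclass
class LocalRole:
    name: str
    permissions: List[str] = field(default_factory=list)   # CustomPermission names


@dataclass
class LocalUser:
    name: str
    role_assignments: List[Tuple[CustomResource, LocalRole]] = field(default_factory=list)


class CustomApplication:
    def __init__(self, name: str, application_type: str) -> None:
        self.name, self.application_type = name, application_type
        self.custom_permissions: Dict[str, CustomPermission] = {}   # keys are lower-cased
        self.local_roles: Dict[str, LocalRole] = {}
        self.resources: Dict[str, CustomResource] = {}
        self.local_users: Dict[str, LocalUser] = {}

    def add_custom_permission(self, name, permissions, apply_to_sub_resources=False, resource_types=None):
        perm = CustomPermission(name, list(permissions), apply_to_sub_resources, list(resource_types or []))
        self.custom_permissions[name.lower()] = perm
        return perm

    def add_local_role(self, name, permissions=None) -> LocalRole:
        missing = [p for p in permissions or [] if p.lower() not in self.custom_permissions]
        if missing:  # CustomPermission objects must be created before a role refers to them
            raise KeyError(f"custom permissions not defined: {missing}")
        self.local_roles[name.lower()] = LocalRole(name, list(permissions or []))
        return self.local_roles[name.lower()]

    def add_resource(self, name, resource_type) -> CustomResource:
        self.resources[name.lower()] = CustomResource(name, resource_type, name)
        return self.resources[name.lower()]

    def identity_to_permissions(self) -> Dict[str, Dict[str, List[str]]]:
        """Expand each user's role assignments into resource_key -> permission names."""
        out: Dict[str, Dict[str, List[str]]] = {}
        for user in self.local_users.values():
            grants: Dict[str, set] = {}
            for resource, role in user.role_assignments:
                for perm_name in role.permissions:
                    perm = self.custom_permissions[perm_name.lower()]
                    targets = [resource]
                    if perm.apply_to_sub_resources:
                        targets.extend(resource.descendants())
                    for target in targets:
                        # A permission with resource_types only lands on matching types.
                        if perm.resource_types and target.resource_type not in perm.resource_types:
                            continue
                        grants.setdefault(target.resource_key, set()).add(perm.name)
            out[user.name] = {key: sorted(names) for key, names in grants.items()}
        return out


def build_example() -> Dict[str, Dict[str, List[str]]]:
    app = CustomApplication("git-server", application_type="scm")
    app.add_custom_permission("read", ["DataRead"], apply_to_sub_resources=True)
    app.add_custom_permission("push", ["DataWrite"], resource_types=["branch"])
    app.add_custom_permission("admin", ["MetadataWrite"], resource_types=["repository"])
    app.add_local_role("Maintainer", ["read", "push", "admin"])
    repo = app.add_resource("payments", "repository")
    branch = repo.add_sub_resource("main", "branch")
    alice = app.local_users.setdefault("alice", LocalUser("Alice"))
    maintainer = app.local_roles["maintainer"]          # case-insensitive lookup
    alice.role_assignments.append((repo, maintainer))
    alice.role_assignments.append((branch, maintainer))
    return app.identity_to_permissions()
```

Running `build_example()` shows the scoping at work: the same Maintainer role assigned on the repository yields `admin` and `read` there (push is dropped because it is typed for branches), while on the branch it yields `push` and `read` (admin is dropped because it is typed for repositories). The read permission reaches the branch from the repository assignment only because it was created with `apply_to_sub_resources=True`. That is the least-privilege property the resource_types mechanism gives you: a role can bundle permissions for several resource kinds without any of them leaking onto a kind they were never meant for.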
method add_tag
Add a tag to the Application
Args:
    key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
    value (str, optional): Value for tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".
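A validator for the tag key/value character rules stated above, as an added example that serves every add_tag method on this page (Application, CustomResource, Identity and LocalRole all document the same rules). It is not the library's own code: the two regular expressions are this example's reading of the stated rules, and `validate_tag`, `is_valid_tag`, `add_tag` and the `OAATemplateException` stand-in are its own. Rejecting a bad tag at the point it is added gives a precise error instead of a whole payload being refused later.

```python
import re

# This example's reading of the stated rules (not the library's own constants):
TAG_KEY_RE = re.compile(r"[A-Za-z0-9_]+")          # letters, numbers, _ ; must be present
TAG_VALUE_RE = re.compile(r"[A-Za-z0-9\s@,._-]*")  # letters, numbers, whitespace, @ , . _ -


class OAATemplateException(Exception):
    """Stand-in for the template-schema violation exception."""


def validate_tag(key, value=""):
    """Return (key, value) if both satisfy the add_tag character rules, else raise."""
    if not isinstance(key, str) or TAG_KEY_RE.fullmatch(key) is None:
        raise OAATemplateException(f"invalid tag key {key!r}: letters, numbers and _ only")
    if not isinstance(value, str) or TAG_VALUE_RE.fullmatch(value) is None:
        raise OAATemplateException(
            f"invalid tag value {value!r}: letters, numbers, whitespace and @,._- only")
    return key, value


def is_valid_tag(key, value=""):
    """Boolean form of validate_tag, handy for filtering tags from an upstream source."""
    try:
        validate_tag(key, value)
    except OAATemplateException:
        return False
    return True


def add_tag(tags, key, value=""):
    """Validate first, then record the tag; repeats are ignored so re-runs are idempotent."""
    validate_tag(key, value)
    tag = {"key": key, "value": value}
    if tag not in tags:
        tags.append(tag)
    return tags


if __name__ == "__main__":
    # Constructed sample tags
    print(add_tag([], "owner", "platform-team@example.com"))
    print(is_valid_tag("env", "prod;<script>"))   # False: ';' '<' '>' are not allowed
```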
method app_dict
Return the 'applications' section of the payload as a serializable dictionary.

method define_custom_permission
Add a custom permission to the application.
.. deprecated:: See CustomApplication.add_custom_permission()

Collect authorizations for all identities into a single list.

method get_payload
Get the OAA payload.
Returns the complete OAA template payload for the application as a serializable dictionary.
Returns:
    dict: OAA payload as dictionary

method permissions_dict
Return the 'permissions' section of the payload as a serializable dictionary.

method set_property
Set a custom property value for the application.
The property name must be defined for the CustomApplication before calling set_property. See the example below and ApplicationPropertyDefinitions.define_application_property for more information on defining properties.
Args:
    property_name (str): Name of property to set value for, property names must be defined as part of the application property_definitions
    property_value (Any): Value for property, type should match the OAAPropertyType of the property definition
    ignore_none (bool, optional): Do not set property if value is None. Defaults to False.
Raises:
    OAATemplateException: If property name is not defined
Example:
    >>> from oaaclient.templates import CustomApplication, OAAPropertyType
    >>> app = CustomApplication("App", application_type="example")
    >>> app.property_definitions.define_application_property(name="my_property", property_type=OAAPropertyType.STRING)
    >>> app.set_property("my_property", "property value")
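The define-before-set rule that every set_property method on this page shares (application, resource, local user and local role), as an added stand-alone example. This is not the oaaclient implementation: the `OAAPropertyType` members and the Python types they accept, the entity kinds tracked by `ApplicationPropertyDefinitions`, the module-level `set_property` function, the `rejects` helper and the stand-in `PROPERTY_NAME_REGEX` pattern are all this example's assumptions (the page names PROPERTY_NAME_REGEX but does not show its value). The example adds one check the docstrings only imply, that the value's type matches the definition, and handles the `bool`-is-an-`int` corner so a boolean cannot pass as a NUMBER.

```python
import re
from enum import Enum
from typing import Any, Dict, Optional

# Stand-in for the module-level PROPERTY_NAME_REGEX; the real pattern is not shown on this page.
PROPERTY_NAME_REGEX = re.compile(r"[a-z][a-z0-9_]*")


class OAAPropertyType(Enum):
    """Assumed property types, each mapped to the Python types accepted for a value."""
    BOOLEAN = (bool,)
    NUMBER = (int, float)
    STRING = (str,)
    STRING_LIST = (list,)
    TIMESTAMP = (str,)      # RFC3339 string


class OAATemplateException(Exception):
    """Raised for violations of the template schema."""


class ApplicationPropertyDefinitions:
    """Records which property names (and types) exist per entity kind."""

    def __init__(self) -> None:
        self._entity_defs: Dict[str, Dict[str, OAAPropertyType]] = {
            "application": {}, "local_user": {}, "local_group": {}, "local_role": {}}
        self._resource_defs: Dict[str, Dict[str, OAAPropertyType]] = {}

    @staticmethod
    def _define(table: Dict[str, OAAPropertyType], name: str, property_type: OAAPropertyType) -> None:
        if PROPERTY_NAME_REGEX.fullmatch(name) is None:
            raise OAATemplateException(f"invalid property name {name!r}")
        table[name] = property_type

    def define_application_property(self, name, property_type):
        self._define(self._entity_defs["application"], name, property_type)

    def define_local_user_property(self, name, property_type):
        self._define(self._entity_defs["local_user"], name, property_type)

    def define_local_role_property(self, name, property_type):
        self._define(self._entity_defs["local_role"], name, property_type)

    def define_resource_property(self, resource_type, name, property_type):
        self._define(self._resource_defs.setdefault(resource_type, {}), name, property_type)

    def lookup(self, entity: str, name: str, resource_type: Optional[str] = None) -> OAAPropertyType:
        if entity == "resource":
            table = self._resource_defs.get(resource_type, {})
        else:
            table = self._entity_defs[entity]
        if name not in table:
            raise OAATemplateException(f"property {name!r} is not defined for {resource_type or entity}")
        return table[name]


def set_property(properties: Dict[str, Any], defs: ApplicationPropertyDefinitions, entity: str,
                 property_name: str, property_value: Any, ignore_none: bool = False,
                 resource_type: Optional[str] = None) -> Dict[str, Any]:
    """Set a property on an entity's property dict, enforcing define-before-set and the type."""
    if property_value is None and ignore_none:
        return properties
    ptype = defs.lookup(entity, property_name, resource_type)
    if property_value is not None:
        # bool is a subclass of int, so it must not slip through as a NUMBER
        wrong_bool = isinstance(property_value, bool) and ptype is not OAAPropertyType.BOOLEAN
        if wrong_bool or not isinstance(property_value, ptype.value):
            raise OAATemplateException(
                f"{property_name!r} expects {ptype.name}, got {type(property_value).__name__}")
    properties[property_name] = property_value
    return properties


def rejects(defs, entity, property_name, property_value, resource_type=None) -> bool:
    """True if set_property refuses the assignment (helper for the checks below)."""
    try:
        set_property({}, defs, entity, property_name, property_value, resource_type=resource_type)
    except OAATemplateException:
        return True
    return False
```

Resource properties are scoped per resource_type, matching the `define_resource_property(resource_type=..., ...)` signature the page shows, so a property defined for "cog" resources is still undefined for any other type.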
class CustomResource
Class for resources and sub-resources.
Should be used for representing components of the application to which authorization is granted. Each resource has a name and a type. The type can be used for grouping and filtering.
Arguments:
    name (str): display name for resource, must be unique to parent application or resource unless using unique_id
    resource_type (str): type for resource
    description (str): description for resource
    application_name (str): name of parent application
    resource_key (str, optional): for sub-resources, the full unique identifier required for the identity_to_permissions section. Defaults to name or unique_id if not provided.
    property_definitions (ApplicationPropertyDefinitions, optional): Property definitions structure for the resource
    unique_id (str, optional): Optional unique identifier for the resource. Defaults to None.
Attributes:
    name (str): display name for resource, must be unique to parent application or resource
    unique_id (str): resource's unique identifier if provided.
    resource_type (str): type for resource
    application_name (str): name of parent application
    resource_key (str): for sub-resources represents the sub-resource's parent path
    sub_resources (dict): dictionary of sub-resources keyed by name
    properties (dict): dictionary of properties set for resource
    tags (list[Tag]): list of tags
method __init__
method add_access
No longer supported, access should be added through the identity (local_user, local_group, idp)

method add_resource_connection
Add an external connection to the resource.
Used to add a relationship to another entity discovered by Veza such as a service account or AWS IAM role.
Args:
    id (str): Unique identifier for connection entity
    node_type (str): Veza type for connecting node

method add_sub_resource
Create a new sub-resource under the current resource
Args:
    name (str): display name for resource
    resource_type (str): type for resource
    description (str, optional): String description. Defaults to None.
    unique_id (str, optional): Unique identifier for new sub-resource. Defaults to name.
Returns: CustomResource

method add_tag
Add a new tag to resource.
Args:
    key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
    value (str, optional): Value for tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

method set_property
Set the value for a custom property on a resource or sub-resource.
The property name must be defined for the resource type before calling set_property(). See the example below and ApplicationPropertyDefinitions.define_resource_property for more information on defining properties.
Args:
    property_name (str): Name of property to set value for
    property_value (Any): Value for property, type should match the OAAPropertyType of the property definition
    ignore_none (bool, optional): Do not set property if value is None. Defaults to False.
Raises:
    OAATemplateException: If property_name is not defined
Example:
    >>> from oaaclient.templates import CustomApplication, OAAPropertyType
    >>> app = CustomApplication("App", application_type="example")
    >>> app.property_definitions.define_resource_property(resource_type="cog", name="my_property", property_type=OAAPropertyType.STRING)
    >>> cog1 = app.add_resource(name="cog1", resource_type="cog")
    >>> cog1.set_property("my_property", "this value")

method to_dict
Return the dictionary representation of the resource.
class Identity
Base class for deriving all identity types (should not be used directly).
Args:
    name (str): name of identity
    identity_type (OAAIdentityType): Veza Identity Type (local_user, local_group, idp)
    unique_id (str, optional): ID of entity for reference by ID
Attributes:
    name (str): name of identity
    identity_type (OAAIdentityType): Veza Identity Type (local_user, local_group, idp)
    application_permissions (list[CustomPermission]): List of permissions identity has directly to custom application
    resource_permissions (dict): Dictionary of custom permissions associated with resources and sub-resources. Key is permission, value is list of resource keys
    application_roles (LocalRole): List of roles identity has directly to custom application
    resource_roles (dict): Dictionary of local_roles for resources and sub-resources. Key is role, value is list of resource keys
    properties (dict): Dictionary of properties for identity, allowed values will vary by identity type
    tags (list[Tag]): List of tags
method __init__
method add_permission
Add a permission to an identity.
The permission can apply to either the application or an application resource/sub-resource.
Args:
    permissions ([str]): List of strings representing the permission names
    resource (CustomResource, optional): Custom resource; if None the permission is applied to the application. Defaults to None.
    apply_to_application (bool): Apply permission to application when True, defaults to False

method add_role
Add a role to an identity.
The role authorizes the identity to either the application or an application resource/sub-resource based on the role's permissions.
Role assignment properties can be set with the assignment_properties dictionary parameter with property names as the keys. Role assignment property types must be defined on the application prior to setting.
Args:
    role (str): Name of role as string
    resources (List[CustomResource], optional): Custom resources; if None the role is applied to the application. Defaults to None.
    apply_to_application (bool, optional): Apply permission to application when True; False will replace the existing value, None will leave the previous setting if any
    assignment_properties (dict, optional): Custom properties for the role assignment. Defaults to no properties.

method add_tag
Add a new tag to identity.
Args:
    key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
    value (str, optional): Value for tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

method get_identity_to_permissions
Get a JSON serializable dictionary of all the identity's permissions and roles.
Formats the identity's permissions and roles for the Custom Application template payload.
Returns:
    dict: JSON serializable dictionary of all the identity's permissions and roles

method set_property
Set a custom defined property to a specific value on an identity.
The property name must be defined for the identity type before calling set_property(). See the example below for LocalUser and ApplicationPropertyDefinitions.define_local_user_property for more information on defining properties. The property must be defined for the correct Identity type (LocalUser or LocalGroup; IdPIdentity does not support custom properties).
Args:
    property_name (str): Name of property to set value for
    property_value (Any): Value for property, type should match the OAAPropertyType of the property definition
    ignore_none (bool, optional): Do not set property if value is None. Defaults to False.
Raises:
    OAATemplateException: If property with property_name is not defined.
Example:
    >>> from oaaclient.templates import CustomApplication, OAAPropertyType
    >>> app = CustomApplication("App", application_type="example")
    >>> app.property_definitions.define_local_user_property(name="my_property", property_type=OAAPropertyType.STRING)
    >>> user1 = app.add_local_user(name="user1")
    >>> user1.set_property("my_property", "value for user1")
class LocalUserType
Enum for

class LocalUser
LocalUser identity, derived from the Identity base class.
Used to model an application user. Can be associated with an external IdP user, or represent a local account.
Args:
    name (str): name of identity
    identities (list): list of strings for IdP identity association
    groups (list[LocalGroup]): list of group names as strings to add user to
    unique_id (string, optional): For reference by ID
Attributes:
    name (str): name of identity
    id (str): ID of entity for ID based reference
    identities (list): list of strings for IdP identity association
    groups (list[LocalGroup]): list of group names as strings to add user to
    identity_type (OAAIdentityType): Veza Identity Type (local_user)
    application_permissions (list[CustomPermission]): Permissions identity has directly to custom application
    resource_permissions (dict): Dictionary of custom permissions associated with resources and sub-resources. Key is permission, value is list of resource keys
    application_roles (list[LocalRole]): Custom application roles assigned directly to the identity
    resource_roles (dict): Dictionary of local_roles for resources and sub-resources. Key is role, value is list of resource keys
    properties (dict): Dictionary of properties for identity, allowed values will vary by identity type
    tags (list[Tag]): List of tags
    is_active (bool): Defaults to None for unset
    created_at (str): RFC3339 time stamp for user creation
    last_login_at (str): RFC3339 time stamp for last login
    deactivated_at (str): RFC3339 time stamp for user deactivation
    password_last_changed_at (str): RFC3339 time stamp for last password change
    user_type (LocalUserType): Set the local user account type
method __init__
method add_group
Add user to local group (group must be created separately).
Args:
    group (str): identifier of local group

method add_identities
Add multiple identities to a local user from a list.
Args:
    identities (list[str]): list of identities to add to user

method add_identity
Add an identity to user.
The identity should match the email address or another principal identifier for an IdP user (Okta, Azure, etc). Veza will create a connection from the application local user to the IdP identity.
Args:
    identity (str): email or identifier for IdP user
method add_permission
Add a permission to an identity.
The permission can apply to either the application or an application resource/sub-resource.
Args:
    permissions ([str]): List of strings representing the permission names
    resource (CustomResource, optional): Custom resource; if None the permission is applied to the application. Defaults to None.
    apply_to_application (bool): Apply permission to application when True, defaults to False

method add_role
Add a role to an identity.
The role authorizes the identity to either the application or an application resource/sub-resource based on the role's permissions.
Role assignment properties can be set with the assignment_properties dictionary parameter with property names as the keys. Role assignment property types must be defined on the application prior to setting.
Args:
    role (str): Name of role as string
    resources (List[CustomResource], optional): Custom resources; if None the role is applied to the application. Defaults to None.
    apply_to_application (bool, optional): Apply permission to application when True; False will replace the existing value, None will leave the previous setting if any
    assignment_properties (dict, optional): Custom properties for the role assignment. Defaults to no properties.

method add_tag
Add a new tag to identity.
Args:
    key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
    value (str, optional): Value for tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

method get_identity_to_permissions
Get a JSON serializable dictionary of all the identity's permissions and roles.
Formats the identity's permissions and roles for the Custom Application template payload.
Returns:
    dict: JSON serializable dictionary of all the identity's permissions and roles

method set_property
Set a custom defined property to a specific value on an identity.
The property name must be defined for the identity type before calling set_property(). See the example below for LocalUser and ApplicationPropertyDefinitions.define_local_user_property for more information on defining properties. The property must be defined for the correct Identity type (LocalUser or LocalGroup; IdPIdentity does not support custom properties).
Args:
    property_name (str): Name of property to set value for
    property_value (Any): Value for property, type should match the OAAPropertyType of the property definition
    ignore_none (bool, optional): Do not set property if value is None. Defaults to False.
Raises:
    OAATemplateException: If property with property_name is not defined.
Example:
    >>> from oaaclient.templates import CustomApplication, OAAPropertyType
    >>> app = CustomApplication("App", application_type="example")
    >>> app.property_definitions.define_local_user_property(name="my_property", property_type=OAAPropertyType.STRING)
    >>> user1 = app.add_local_user(name="user1")
    >>> user1.set_property("my_property", "value for user1")

method to_dict
Output user to dictionary for payload.
class LocalGroup
LocalGroup identity.
Derived from the Identity base class. Used to represent groups of local users for the application.
Args:
    name (str): name of group
    identities (list): list of strings for IdP identity association
    unique_id (string, optional): Unique identifier for group
Attributes:
    name (str): name of identity
    identities (list): list of strings for IdP identity association
    groups (list[LocalGroup]): list of group names as strings that the group is a member of, for nested groups
    identity_type (OAAIdentityType): Veza Identity Type, local_group
    application_permissions (list[CustomPermission]): permissions identity has directly to custom application
    resource_permissions (dict): Dictionary of custom permissions associated with resources and sub-resources. Key is permission, value is list of resource keys
    application_roles (list[LocalRole]): list of roles identity has directly to custom application
    resource_roles (dict): Dictionary of local_roles for resources and sub-resources. Key is role, value is list of resource keys
    properties (dict): Dictionary of properties for identity, allowed values will vary by identity type
    tags (list[Tag]): List of tags
    created_at (str): RFC3339 time stamp for group creation time
method __init__
method add_group
Add a nested group to local group (group must be created separately).
Args:
    group (str): identifier of local group

method add_identity
Add an identity to group.
The email address or another valid identifier should match that of an IdP principal (Okta, Azure, etc). Veza will create a connection from the application local group to the IdP identity.
Args:
    identity (str): primary IdP identifier for group to associate
method add_permission
Add a permission to an identity.
The permission can apply to either the application or an application resource/sub-resource.
Args:
    permissions ([str]): List of strings representing the permission names
    resource (CustomResource, optional): Custom resource; if None the permission is applied to the application. Defaults to None.
    apply_to_application (bool): Apply permission to application when True, defaults to False

method add_role
Add a role to an identity.
The role authorizes the identity to either the application or an application resource/sub-resource based on the role's permissions.
Role assignment properties can be set with the assignment_properties dictionary parameter with property names as the keys. Role assignment property types must be defined on the application prior to setting.
Args:
    role (str): Name of role as string
    resources (List[CustomResource], optional): Custom resources; if None the role is applied to the application. Defaults to None.
    apply_to_application (bool, optional): Apply permission to application when True; False will replace the existing value, None will leave the previous setting if any
    assignment_properties (dict, optional): Custom properties for the role assignment. Defaults to no properties.

method add_tag
Add a new tag to identity.
Args:
    key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
    value (str, optional): Value for tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

method get_identity_to_permissions
Get a JSON serializable dictionary of all the identity's permissions and roles.
Formats the identity's permissions and roles for the Custom Application template payload.
Returns:
    dict: JSON serializable dictionary of all the identity's permissions and roles

method set_property
Set a custom defined property to a specific value on an identity.
The property name must be defined for the identity type before calling set_property(). See the example below for LocalUser and ApplicationPropertyDefinitions.define_local_user_property for more information on defining properties. The property must be defined for the correct Identity type (LocalUser or LocalGroup; IdPIdentity does not support custom properties).
Args:
    property_name (str): Name of property to set value for
    property_value (Any): Value for property, type should match the OAAPropertyType of the property definition
    ignore_none (bool, optional): Do not set property if value is None. Defaults to False.
Raises:
    OAATemplateException: If property with property_name is not defined.
Example:
    >>> from oaaclient.templates import CustomApplication, OAAPropertyType
    >>> app = CustomApplication("App", application_type="example")
    >>> app.property_definitions.define_local_user_property(name="my_property", property_type=OAAPropertyType.STRING)
    >>> user1 = app.add_local_user(name="user1")
    >>> user1.set_property("my_property", "value for user1")

method to_dict
Output group to dictionary for payload.
class IdPIdentity
IdP identity derived from the Identity base class.
Used to associate IdP identities (users or groups) directly to resources where the concept of local users/groups doesn't apply to the application.
Args:
    name (str): Primary IdP identifier for identity (email, group name, etc)
Attributes:
    name (str): name of identity
    identity_type (OAAIdentityType): Veza Identity Type, (idp)
    application_permissions (list[CustomPermission]): permissions identity has directly to custom application
    resource_permissions (dict): Dictionary of custom permissions associated with resources and sub-resources. Key is permission, value is list of resource keys
    application_roles (list[LocalRole]): roles identity has directly to custom application
    resource_roles (dict): Dictionary of local_roles for resources and sub-resources. Key is role, value is list of resource keys
    properties (dict): Dictionary of properties for identity, allowed values will vary by identity type
    tags (list[Tag]): List of tags
method __init__
method add_permission
Add a permission to an identity.
The permission can apply to either the application or an application resource/sub-resource.
Args:
    permissions ([str]): List of strings representing the permission names
    resource (CustomResource, optional): Custom resource; if None the permission is applied to the application. Defaults to None.
    apply_to_application (bool): Apply permission to application when True, defaults to False

method add_role
Add a role to an identity.
The role authorizes the identity to either the application or an application resource/sub-resource based on the role's permissions.
Role assignment properties can be set with the assignment_properties dictionary parameter with property names as the keys. Role assignment property types must be defined on the application prior to setting.
Args:
    role (str): Name of role as string
    resources (List[CustomResource], optional): Custom resources; if None the role is applied to the application. Defaults to None.
    apply_to_application (bool, optional): Apply permission to application when True; False will replace the existing value, None will leave the previous setting if any
    assignment_properties (dict, optional): Custom properties for the role assignment. Defaults to no properties.

method add_tag
Add a new tag to identity.
Args:
    key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
    value (str, optional): Value for tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

method get_identity_to_permissions
Get a JSON serializable dictionary of all the identity's permissions and roles.
Formats the identity's permissions and roles for the Custom Application template payload.
Returns:
    dict: JSON serializable dictionary of all the identity's permissions and roles

method set_property
Set custom IdP property (no functionality).
IdP identities do not support custom properties since the identity is discovered through the provider (Okta, Azure, etc).
class LocalRole
Represents a Custom Application Local Role.
Local Roles are a collection of permissions (as CustomPermission). Roles can be used to associate a local user, group or IdP identity to an application, resource or sub-resource.
Permissions can either be assigned at creation and/or added later.
If the CustomPermission definition includes resource types in the resource_types list, the permission will only be assigned to resources/sub-resources that match that type as part of an assignment.
Args:
    name (str): name of local role
    permissions (list[CustomPermission], optional): List of custom permission names (strings) to associate with the role. Defaults to empty list.
    unique_id (string, optional): Unique identifier for role for identification by ID
Attributes:
    name (str): name of local role
    unique_id (str): Unique identifier for role for identification by ID
    permissions (list[CustomPermission]): list of custom permission names (strings) to associate with the role
    roles (list[LocalRole]): list of roles nested inside the role
    tags (list[Tag]): list of Tag instances
method __init__
method add_permissions
Add permissions to the role.
Args:
    permissions (list): List of permission names (strings) to add to role

method add_role
Add a nested sub-role to the role (nested role must be created separately)
Args:
    role (str): identifier of the local role to nest inside this role

method add_tag
Add a new tag to role.
Args:
    key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
    value (str, optional): Value for tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

method set_property
Set the value for a custom property on a local role.
The property name must be defined for local roles before calling set_property(). See the example below and ApplicationPropertyDefinitions.define_local_role_property for more information on defining properties.
Args:
    property_name (str): Name of property to set value for
    property_value (Any): Value for property, type should match the OAAPropertyType of the property definition
    ignore_none (bool, optional): Do not set property if value is None. Defaults to False.
Raises:
    OAATemplateException: If property name is not defined.
Example:
    >>> from oaaclient.templates import CustomApplication, OAAPropertyType
    >>> app = CustomApplication("App", application_type="example")
    >>> app.property_definitions.define_local_role_property(name="my_property", property_type=OAAPropertyType.STRING)
    >>> role1 = app.add_local_role(name="role1")
    >>> role1.set_property(property_name="my_property", property_value="role1s value")

method to_dict
Convert role to dictionary for inclusion in JSON payload.
Returns:
    dict: serializable dictionary of role
class CustomPermission
CustomPermission class for defining CustomApplication permissions.
Custom permissions represent the named permissions for the application in its terms (e.g. "Admin" or "PUSH") and define the Veza canonical mapping (e.g. DataRead, MetadataRead, DataWrite).
A permission can either be applied directly to an application or resource or assigned as part of a role.
Optionally, when permissions are used as part of a role, if the resource_types list is populated the permission will only be applied to resources whose type is in the resource_types list when the role is applied to a resource.
Args:
name (str): Display name for permission
permissions (list): List of OAAPermission enums that represent the canonical permissions
apply_to_sub_resources (bool, optional): If true, when permission is applied to the application or resource, identity also has permission to all children of application/resource. Defaults to False.
resource_types (list, optional): List of resource types as strings that the permission relates to. Defaults to empty list.
Attributes:
name (str): Display name for permission
permissions (list[OAAPermission]): List of OAAPermission enums that represent the canonical permissions
apply_to_sub_resources (bool): If true, when permission is applied to the application or resource, identity also has permission to all children of application/resource.
resource_types (list): List of resource types as strings that the permission relates to.
method __init__
method add_resource_type
Add a resource type to the resource_types list.
Extends the list of resource types the permission applies to when used in a role assignment.
Args:
resource_type (str): The resource type string value
method to_dict
Returns dictionary representation for payload.
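To make the resource_types rule from the LocalRole and CustomPermission descriptions concrete, here is an added Python illustration. It is not oaaclient's own code: the class names mirror the docstrings but the bodies are a simplification written for this example. A role's effective canonical permissions on a resource are the union of its own permissions and those of its nested roles, minus any CustomPermission whose resource_types list is non-empty and does not contain that resource's type. The canonical names DataRead, DataWrite and MetadataRead come from the text above; the sample roles and permissions are constructed, apply_to_sub_resources is not modelled, and the choice that a type-restricted permission does not apply at the application level (no resource type) is an assumption made for the example.

```python
"""Added illustration (not oaaclient's own code) of the resource_types rule for
CustomPermission inside a LocalRole, including permissions inherited from nested
roles. Class names mirror the docstrings; the bodies are a simplification."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class CustomPermission:
    name: str                     # the application's own term, e.g. "Admin" or "PUSH"
    permissions: Set[str]         # canonical OAAPermission names, e.g. {"DataRead"}
    resource_types: List[str] = field(default_factory=list)

    def applies_to(self, resource_type: Optional[str]) -> bool:
        """Empty resource_types: applies wherever the role is assigned.
        Otherwise the resource's type must be listed. Assumption for this
        example: an application-level assignment (resource_type None) does
        not satisfy a type-restricted permission."""
        if not self.resource_types:
            return True
        return resource_type is not None and resource_type in self.resource_types


@dataclass
class LocalRole:
    name: str
    permissions: List[str] = field(default_factory=list)  # CustomPermission names
    roles: List[str] = field(default_factory=list)        # nested LocalRole names


def effective_permissions(role_name: str, resource_type: Optional[str],
                          roles: Dict[str, LocalRole],
                          permissions: Dict[str, CustomPermission]) -> Set[str]:
    """Canonical permissions an identity holding `role_name` gets on a resource
    of `resource_type` (None for the application itself). Nested roles are
    walked iteratively; visited roles are remembered so a cycle cannot loop."""
    granted: Set[str] = set()
    visited: Set[str] = set()
    stack = [role_name]
    while stack:
        current = stack.pop()
        if current in visited:
            continue
        visited.add(current)
        role = roles[current]                 # KeyError: nested role never created
        for perm_name in role.permissions:
            perm = permissions[perm_name]     # KeyError: permission never defined
            if perm.applies_to(resource_type):
                granted |= perm.permissions
        stack.extend(role.roles)
    return granted


# Constructed sample data for the example (not from the page).
PERMISSIONS: Dict[str, CustomPermission] = {
    "Admin": CustomPermission("Admin", {"DataRead", "DataWrite", "MetadataRead"}),
    "Push": CustomPermission("Push", {"DataWrite"}, resource_types=["repository"]),
    "Browse": CustomPermission("Browse", {"MetadataRead"}),
}
ROLES: Dict[str, LocalRole] = {
    "viewer": LocalRole("viewer", permissions=["Browse"]),
    "developer": LocalRole("developer", permissions=["Push"], roles=["viewer"]),
    "owner": LocalRole("owner", permissions=["Admin"], roles=["developer"]),
}

if __name__ == "__main__":
    for role in ROLES:
        for rtype in (None, "repository", "bucket"):
            print(f"{role:10} on {rtype or 'application':12}: "
                  f"{sorted(effective_permissions(role, rtype, ROLES, PERMISSIONS))}")
```

Running the block shows that "developer" yields DataWrite only on a "repository" resource and just MetadataRead on a "bucket" or on the application, because Push is restricted to repositories while Browse (inherited from the nested "viewer" role) is not restricted at all.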
class OAAPropertyType
Supported types for custom properties on OAA entities such as application, resource, and identity.
class ApplicationPropertyDefinitions
Model for defining custom properties for an application and its entities (users, groups, roles, resources).
Property definitions define the names for additional entity properties and the expected type.
Args:
application_type (str): type of custom application the property definitions apply to
Attributes:
application_properties (dict): property definitions for application
local_user_properties (dict): property definitions for local users
local_group_properties (dict): property definitions for local groups
local_role_properties (dict): property definitions for local roles
resources (dict): property definitions for resources keyed by resource type
method __init__
method define_application_property
Define an application property.
Args:
name (str): name for property
property_type (OAAPropertyType): type for property
method define_local_group_property
Define a local group property.
Args:
name (str): name for property
property_type (OAAPropertyType): type for property
method define_local_role_property
Define a local role property.
Args:
name (str): name for property
property_type (OAAPropertyType): type for property
method define_local_user_property
Define a local user property.
Args:
name (str): name for property
property_type (OAAPropertyType): type for property
method define_resource_property
Define a property for a resource by type of resource.
Args:
resource_type (str): type of resource the property definition is for
name (str): property name
property_type (OAAPropertyType): type for property
method define_role_assignment_property
method to_dict
Return property definitions as dictionary ready for OAA payload
method validate_name
Check property name for valid characters.
Raises an exception if the name string does not match the required pattern. Name must start with a letter and can only contain letters and the _ character.
Args:
name (str): name of property to validate
Raises:
OAATemplateException: Name is not a string
OAATemplateException: Name contains invalid characters or does not start with a letter
method validate_property_name
Validate that a property name has been defined for the given entity type (and, for resources, the given resource type).
Args:
property_name (str): name of property to validate
entity_type (str): type of entity the custom property is for (application, local_user, local_group, local_role, resource)
resource_type (str): (optional) type for validating resource property names, only applicable to entity_type resource
Raises:
OAATemplateException: If property name has not been previously defined for entity
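The define / validate / set sequence described for ApplicationPropertyDefinitions and for LocalRole.set_property above, as an added Python illustration that is not oaaclient's own code. It enforces the documented name rule (start with a letter, letters and underscore only), keeps one definition table per entity type with resources further keyed by resource type, and makes set_property refuse an undefined name or a value whose type does not match the definition, honouring ignore_none. The OAAPropertyType member list, the value-type mapping and the single generic define_property method are assumptions made for the example; the page itself only shows OAAPropertyType.STRING and per-entity define_* methods.

```python
"""Added illustration (not oaaclient's own code) of the custom-property workflow:
validate and register a property name with a type for one entity type, then
require later set_property calls to use a defined name and a matching value."""
import re
from enum import Enum
from typing import Any, Dict, Optional

# Documented rule: name starts with a letter and contains only letters or "_".
PROPERTY_NAME_PATTERN = re.compile(r"^[A-Za-z][A-Za-z_]*$")


class OAATemplateException(Exception):
    """Stand-in for the template schema exception."""


class OAAPropertyType(Enum):
    """Assumed member set for the example; the page only shows STRING."""
    BOOLEAN = "BOOLEAN"
    NUMBER = "NUMBER"
    STRING = "STRING"
    STRING_LIST = "STRING_LIST"


def value_matches(value: Any, property_type: OAAPropertyType) -> bool:
    """Assumed mapping from property type to acceptable Python value types."""
    if property_type is OAAPropertyType.BOOLEAN:
        return isinstance(value, bool)
    if property_type is OAAPropertyType.NUMBER:
        return isinstance(value, (int, float)) and not isinstance(value, bool)
    if property_type is OAAPropertyType.STRING:
        return isinstance(value, str)
    return isinstance(value, list) and all(isinstance(v, str) for v in value)


class ApplicationPropertyDefinitions:
    """Definitions keyed by entity type; resources are further keyed by resource type."""

    def __init__(self) -> None:
        self.definitions: Dict[str, Dict[str, OAAPropertyType]] = {
            "application": {}, "local_user": {}, "local_group": {}, "local_role": {},
        }
        self.resources: Dict[str, Dict[str, OAAPropertyType]] = {}

    @staticmethod
    def validate_name(name: Any) -> None:
        if not isinstance(name, str):
            raise OAATemplateException("Property name must be a string")
        if not PROPERTY_NAME_PATTERN.match(name):
            raise OAATemplateException(
                f"Invalid property name {name!r}: must start with a letter and "
                "contain only letters or _")

    def define_property(self, entity_type: str, name: str, property_type: OAAPropertyType,
                        resource_type: Optional[str] = None) -> None:
        """Generic stand-in for the per-entity define_* methods (assumption)."""
        self.validate_name(name)
        if entity_type == "resource":
            if not resource_type:
                raise OAATemplateException("resource properties require a resource_type")
            self.resources.setdefault(resource_type, {})[name] = property_type
        elif entity_type in self.definitions:
            self.definitions[entity_type][name] = property_type
        else:
            raise OAATemplateException(f"Unknown entity type {entity_type!r}")

    def validate_property_name(self, property_name: str, entity_type: str,
                               resource_type: Optional[str] = None) -> OAAPropertyType:
        """Return the defined type, or raise if the name was never defined."""
        if entity_type == "resource":
            table = self.resources.get(resource_type or "", {})
        else:
            table = self.definitions.get(entity_type, {})
        if property_name not in table:
            raise OAATemplateException(
                f"Property {property_name!r} is not defined for {entity_type}")
        return table[property_name]


def set_property(properties: Dict[str, Any], definitions: ApplicationPropertyDefinitions,
                 entity_type: str, property_name: str, property_value: Any,
                 ignore_none: bool = False, resource_type: Optional[str] = None) -> Dict[str, Any]:
    """Set a custom property on an entity's property dict as the docstrings describe."""
    expected = definitions.validate_property_name(property_name, entity_type, resource_type)
    if property_value is None and ignore_none:
        return properties                      # leave the property unset
    if property_value is not None and not value_matches(property_value, expected):
        raise OAATemplateException(
            f"Value for {property_name!r} must be {expected.value}, "
            f"got {type(property_value).__name__}")
    properties[property_name] = property_value
    return properties
```

Validating names at definition time matters because property names end up as keys in the JSON payload; rejecting them early gives a clear error from the connector rather than a rejected upload later.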
class IdPEntityType
IdP entity types.
class IdPProviderType
Veza supported IdP provider types.
class CustomIdPProvider
CustomIdPProvider class for modeling Identity Providers (IdP) using the OAA Custom Identity Provider Template.
CustomIdPProvider class consists of IdP domain information, users, groups and external associations for identities like AWS Roles.
The class uses dictionaries to track most components; the dictionaries are all keyed by the string of the entity name.
Args:
name (str): Name of IdP
idp_type (str): Type descriptor for IdP, can be unique or shared across multiple IdPs, e.g. ldap, IPA
domain (str): IdP domain name
description (str, optional): Description for IdP. Defaults to None.
Attributes:
name (str): Name of custom IdP
idp_type (str): Type for IdP
description (str): Description for IdP
domain (CustomIdPDomain): Domain model, created with domain name at init
users (dict[CustomIdPUser]): Dictionary of CustomIdPUser class instances
groups (dict[CustomIdPGroup]): Dictionary of CustomIdPGroup class instances
property_definitions (IdPPropertyDefinitions): Custom Property definitions for IdP instance
method __init__
method add_group
Add group to IdP.
Arguments:
name (str): primary ID for group
full_name (str): optional display name for group
identity (str): optional unique identifier for group, if None name is used as identity
method add_user
Add user to IdP.
If no identity is set, name will be used as identity.
Arguments:
name (str): primary ID for user
full_name (str): optional full name for display
email (str): optional email for user
identity (str): optional unique identifier for user, if None name is used as identity
Returns:
CustomIdPUser
method get_payload
Return formatted payload as dictionary for JSON conversion and upload
class CustomIdPDomain
Domain model for Custom IdP provider.
Args:
name (str): domain name
Attributes:
name (str): domain name
method __init__
method add_tag
Add a new tag to IdP Domain.
Args:
key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str, optional): Value for tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".
method set_property
Set custom property value for domain.
Property name must be defined for domain before calling set_property(). See example below and IdPPropertyDefinitions.define_domain_property for more information.
Args:
property_name (str): Name of property
property_value (Any): Value for property, type should match OAAPropertyType for property definition
ignore_none (bool, optional): Do not set property if value is None. Defaults to False.
Raises:
OAATemplateException: If property with property_name is not defined.
Example:
>>> idp = CustomIdPProvider(name="Example IdP", idp_type="example", domain="example.com")
>>> idp.property_definitions.define_domain_property(name="my_property", property_type=OAAPropertyType.STRING)
>>> idp.domain.set_property(property_name="my_property", property_value="domain property value")
method to_dict
Output function for payload.
class CustomIdPUser
User model for CustomIdPProvider.
Args:
name (str): username for identity
email (str): primary email for user
full_name (str): Display name for user
identity (str): unique identifier for user (may be same as username or email, or another unique ID like employee number)
Attributes:
name (str): username for identity
email (str): primary email for user
full_name (str): display name for user
identity (str): unique identifier for user (may be same as username or email, or another unique ID like employee number)
department (str): department name for user
is_active (bool): if user is active, defaults to None
is_guest (bool): if user is a guest type user, defaults to None
manager_id (str, optional): CustomIdPUser.identity of manager, defaults to None
method __init__
method add_assumed_role_arns
Add AWS Roles to the list of roles the user can assume, by ARN.
Args:
arns (list): list of role ARNs as strings that the user is allowed to assume
method add_groups
Add user to group(s) by group name.
Args:
group_identities (list): list of strings for group identities to add user to
method add_tag
Add a new tag to IdP User.
Args:
key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str, optional): Value for tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".
method set_property
Set custom property value for user.
Property name must be defined for users before calling set_property(). See example below and IdPPropertyDefinitions.define_user_property for more information.
Args:
property_name (str): Name of property
property_value (Any): Value for property, type should match OAAPropertyType for property definition
ignore_none (bool, optional): Do not set property if value is None. Defaults to False.
Raises:
OAATemplateException: If property with property_name is not defined.
Example:
>>> idp = CustomIdPProvider(name="Example IdP", idp_type="example", domain="example.com")
>>> idp.property_definitions.define_user_property(name="my_property", property_type=OAAPropertyType.STRING)
>>> user1 = idp.add_user(name="User 1")
>>> user1.set_property("my_property", "user1 value")
method set_source_identity
Set a source external identity for the user.
source_identity will connect the CustomIdP user to a Veza graph IdP user. provider_type limits the scope for finding matching IdP identities; search all providers with IdPProviderType.ANY.
Args:
identity (str): Unique Identity of the source identity
provider_type (IdPProviderType): Type for provider to match source identity from
method to_dict
Function to prepare user entity for payload
class CustomIdPGroup
Group model for CustomIdPProvider.
Args:
name (str): name of group
full_name (str): optional full name for group
identity (str): optional identifier for group if name is not the reference identifier
Parameters:
name (str): name of group
full_name (str): optional full name for group
identity (str): optional identifier for group, if None name is used as identity
is_security_group (bool): Property for group, defaults to None (unset)
method __init__
method add_assumed_role_arns
Add AWS Roles to the list of roles group members can assume, by ARN.
Args:
arns (list): list of role ARNs as strings that the group members are allowed to assume
method add_groups
Add group to group(s) by group name.
Adds the current group to another parent group by the group identifier.
Args:
group_identities (list): list of strings for group identities to add group to
method add_tag
Add a new tag to IdP Group.
Args:
key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str, optional): Value for tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".
method set_property
Set custom property value for group.
Property name must be defined for groups before calling set_property(). See example below and IdPPropertyDefinitions.define_group_property for more information.
Args:
property_name (str): Name of property
property_value (Any): Value for property, type should match OAAPropertyType for property definition
ignore_none (bool, optional): Do not set property if value is None. Defaults to False.
Raises:
OAATemplateException: If property with property_name is not defined.
Example:
>>> idp = CustomIdPProvider(name="Example IdP", idp_type="example", domain="example.com")
>>> idp.property_definitions.define_group_property(name="my_property", property_type=OAAPropertyType.STRING)
>>> group1 = idp.add_group(name="Group 1")
>>> group1.set_property("my_property", "group1 value")
method to_dict
Function to prepare group entity for payload.
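The add_assumed_role_arns and add_groups methods on CustomIdPUser and CustomIdPGroup above describe the data; what a reviewer usually wants from that data is the answer to "which AWS roles can this identity actually reach, and who can reach this role?" The following added Python illustration (not oaaclient's own code; the class names mirror the docstrings but the bodies are a simplification) computes the effective set of assumable role ARNs for a user as the union of the user's own ARNs and the ARNs on every group reachable through nested group membership, and provides the reverse lookup. The sample users, groups, account number and role names are constructed placeholders.

```python
"""Added illustration (not oaaclient's own code) of what add_assumed_role_arns and
add_groups imply for analysis: the AWS roles a Custom IdP user can assume are the
ARNs on the user plus the ARNs on every group reached through (nested) membership."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class CustomIdPGroup:
    name: str
    identity: str
    assumed_role_arns: List[str] = field(default_factory=list)
    member_of: List[str] = field(default_factory=list)   # parent group identities (add_groups)


@dataclass
class CustomIdPUser:
    name: str
    identity: str
    groups: List[str] = field(default_factory=list)      # group identities (add_groups)
    assumed_role_arns: List[str] = field(default_factory=list)


def expand_group_membership(direct: List[str], groups: Dict[str, CustomIdPGroup]) -> Set[str]:
    """All group identities reachable from `direct` via member_of; cycle-safe."""
    reached: Set[str] = set()
    stack = list(direct)
    while stack:
        gid = stack.pop()
        if gid in reached:
            continue
        if gid not in groups:
            raise KeyError(f"group {gid!r} is referenced but was never added to the IdP")
        reached.add(gid)
        stack.extend(groups[gid].member_of)
    return reached


def effective_assumed_roles(user: CustomIdPUser, groups: Dict[str, CustomIdPGroup]) -> Set[str]:
    """Union of the user's own ARNs and those of every reachable group."""
    arns = set(user.assumed_role_arns)
    for gid in expand_group_membership(user.groups, groups):
        arns.update(groups[gid].assumed_role_arns)
    return arns


def who_can_assume(arn: str, users: Dict[str, CustomIdPUser],
                   groups: Dict[str, CustomIdPGroup]) -> List[str]:
    """Reverse lookup: identities that can reach a given role ARN."""
    return sorted(u.identity for u in users.values()
                  if arn in effective_assumed_roles(u, groups))


# Constructed sample data; the account number and role names are placeholders.
ACCOUNT = "arn:aws:iam::123456789012:role/"
GROUPS: Dict[str, CustomIdPGroup] = {
    "all-staff": CustomIdPGroup("All Staff", "all-staff", [ACCOUNT + "ReadOnly"]),
    "engineering": CustomIdPGroup("Engineering", "engineering", [ACCOUNT + "Deploy"],
                                  member_of=["all-staff"]),
    "platform-admins": CustomIdPGroup("Platform Admins", "platform-admins", [ACCOUNT + "Admin"],
                                      member_of=["engineering"]),
}
USERS: Dict[str, CustomIdPUser] = {
    "alice": CustomIdPUser("alice", "alice", groups=["platform-admins"],
                           assumed_role_arns=[ACCOUNT + "BreakGlass"]),
    "bob": CustomIdPUser("bob", "bob", groups=["all-staff"]),
}

if __name__ == "__main__":
    for user in USERS.values():
        print(user.identity, sorted(effective_assumed_roles(user, GROUPS)))
    print("can assume Admin:", who_can_assume(ACCOUNT + "Admin", USERS, GROUPS))
```

The membership walk raises on a group identity that was never added, which is the same referential problem that would otherwise surface only after upload; the visited set stops a parent/child cycle in the source data from looping.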
class IdPPropertyDefinitions
Model for defining custom properties for CustomIdPProvider and its entities (users, groups, domain).
Property definitions define the names for additional entity properties and the expected type.
Attributes:
domain_properties (dict): property definitions for IdP Domain
user_properties (dict): property definitions for IdP users
group_properties (dict): property definitions for IdP groups
method __init__
method define_domain_property
Define a domain custom property.
Args:
name (str): name of property
property_type (OAAPropertyType): type for property
method define_group_property
Define a group custom property.
Args:
name (str): name of property
property_type (OAAPropertyType): type for property
method define_user_property
Define a user custom property.
Args:
name (str): name of property
property_type (OAAPropertyType): type for property
method to_dict
Returns custom IdP property definitions.
method validate_property_name
Validate that a property name has been defined for a given IdP entity.
Raises an exception if the property name has not been previously defined for the entity.
Args:
property_name (str): name of property to validate
entity_type (str): type of entity the custom property is for (domain, users, groups)
Raises:
OAATemplateException: If property name is not defined
class Tag
Veza Tag data model.
Args:
key (str): key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str, optional): Value for tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only.
Attributes:
key (str): key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str): Value for tag, will appear in Veza as key:value. Must be letters, numbers and the special characters @,._ only.
method __init__
class HRISProvider
Class for modeling the Human Resource Information Systems (HRIS) Template.
The HRIS template consists of base information about the HRIS instance, Employees and Groups.
Employees and Groups are tracked in case insensitive dictionaries that can be used to reference entities after creation.
Args:
name (str): Name for HRIS Instance
hris_type (str): Type for HRIS. Typically the vendor or product name.
url (str): Instance URL for HRIS.
Attributes:
employees (dict[string]): Dictionary of HRISEmployee instances keyed by Employee ID
groups (dict[string]): Dictionary of HRISGroup instances keyed by Group ID
method __init__
method add_employee
Add a new Employee.
Function creates a new HRISEmployee instance and adds it to HRISProvider.employees keyed by the unique_id.
Args:
unique_id (str): Unique Identifier for Employee
name (str): Display name for employee
employee_number (str): The employee's number that appears in the third-party integration.
first_name (str): Employee first name
last_name (str): Employee last name (family name)
is_active (bool): Boolean for employee active status
employment_status (str): String representation of employee status, e.g. "ACTIVE", "TERMINATE", "PENDING"
Raises:
OAATemplateException: Employee with ID already exists
Returns:
HRISEmployee: Entity for new employee
method add_group
Add a new Group.
Used to represent any subset of employees, such as PayGroup or Team. Employees can be in multiple Groups. Groups can also be members of other groups to create hierarchy.
Some properties of HRISEmployee such as department must reference an existing HRISGroup by its ID.
Args:
unique_id (str): Unique ID for group
name (str): Display name
group_type (str): Type for group such as "Team", "Department", "Cost Center"
Returns:
HRISGroup: Entity for new group
method get_payload
Get the OAA payload.
Returns the complete OAA template payload for HRIS as a serializable dictionary.
Returns:
dict: OAA payload as dictionary
class HRISSystem
HRISSystem information
Representation for HRISSystem information. The system information is used to represent additional details for the HRIS Instance.
Args:
name (str): Name for system Instance
url (str, optional): URL for instance. Defaults to "". TODO: Is this right?
method __init__
method add_idp_type
Link HRIS to an External IdP of the given type.
Sets the IdP types (Okta, AzureAD, etc.) for Veza to link employee identities to.
Args:
provider_type (IdPProviderType): Type of IdP for source identities
Raises:
ValueError: provider_type must be IdPProviderType enum
Returns:
list[IdPProviderType]: List of configured IdP types
method to_dict
class HRISEmployee
HRIS Employee Entity
Represents an employee record in the HRIS system. Each employee must have a unique ID to identify it in the payload. This ID is also used to reference one employee from another for the manager hierarchy.
Init variables are all required and must not be empty, such as "".
Args:
unique_id (str): Unique Identifier for Employee
name (str): Name for employee record.
employee_number (str): The employee's number that appears in the third-party integration.
first_name (str): Employee first name
last_name (str): Employee last name (family name)
is_active (bool): Boolean for employee active status
employment_status (str): String representation of employee status, e.g. "ACTIVE", "TERMINATE", "PENDING"
Parameters:
company (str): The company (or subsidiary) the employee works for.
preferred_name (str): The employee's preferred first name.
display_full_name (str): The employee's full name, to use for display purposes.
canonical_name (str): The employee's canonical name.
username (str): The employee's username that appears in the integration UI.
email (str): The employee's work email.
idpid (str): The ID for this employee on the destination IdP provider, used to automatically connect to it; if not supplied, email is used.
personal_email (str): The employee's personal email.
home_location (str): The employee's home location.
work_location (str): The employee's work location.
cost_center (str): The cost center ID (Group ID) that the employee is in.
department (str): The department ID (Group ID) that the employee is in.
managers (str): The employee IDs of the employee's managers.
groups (str): The IDs of groups this user is in
start_date (str): The date that the employee started working. RFC3339 timestamp.
termination_date (str): The employee's termination date. RFC3339 timestamp.
job_title (str): The title of the employee.
employment_type (str): The employee's type of employment. For example: FULL_TIME, PART_TIME, INTERN, CONTRACTOR, FREELANCE.
primary_time_zone (str): The time zone in which the employee primarily lives.
Raises:
ValueError: Any of the required arguments are empty.
method __init__
method add_group
Add employee to group.
Adds employee to a group by the group ID. Group must also be defined for the HRIS instance with HRISProvider.add_group().
Args:
group_id (str): Unique ID of HRISGroup to add employee to
method add_manager
Add manager to Employee.
Adds a manager to the employee by the manager's HRISEmployee instance unique ID. Manager employee record must also exist.
Args:
manager_id (str): Unique ID for manager HRISEmployee instance
method set_property
Set Employee custom property value.
Property name must be defined for employee before calling set_property.
Args:
property_name (str): Name of property
property_value (any): Value for property, type should match OAAPropertyType for property definition
ignore_none (bool, optional): Do not set property if value is None. Defaults to False.
Raises:
OAATemplateException: If property with property_name is not defined.
method to_dict
Output employee to dictionary for payload.
class HRISGroup
HRIS Group
Represents any group of employees in the HRIS system. HRISGroups can be used to represent teams, departments, cost centers or any organizational unit. Each group has a type to make searching and grouping easier.
A group's Unique ID must be unique across all group types.
Args:
unique_id (str): Unique ID for group
name (str): Display name
group_type (str): Type for group such as "Team", "Department", "Cost Center"
method __init__
method set_property
Set HRIS Group custom property value.
Property name must be defined for group before calling set_property.
Args:
property_name (str): Name of property
property_value (any): Value for property, type should match OAAPropertyType for property definition
ignore_none (bool, optional): Do not set property if value is None. Defaults to False.
Raises:
OAATemplateException: If property with property_name is not defined.
method to_dict
Dictionary output for inclusion in payload
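The HRISProvider, HRISEmployee and HRISGroup sections above state several integrity rules: employee IDs are unique and looked up case-insensitively, required init values must not be empty, a group must exist before an employee is added to it, and a manager must already be an employee. The following added Python illustration (not oaaclient's own code; the class names mirror the docstrings but the bodies are a simplification) enforces those rules and walks the resulting manager hierarchy. Putting the existence checks on the provider rather than on the employee, and following only the first listed manager when building a chain, are assumptions made for the example; the sample employees and groups are constructed.

```python
"""Added illustration (not oaaclient's own code) of the referential rules in the
HRIS template docstrings: unique, case-insensitive employee IDs; non-empty
required fields; groups and managers that must exist before being referenced;
and a manager-chain walk that stops if the source data contains a loop."""
from dataclasses import dataclass, field
from typing import Dict, List


class OAATemplateException(Exception):
    """Stand-in for the template schema exception."""


@dataclass
class HRISGroup:
    unique_id: str
    name: str
    group_type: str          # e.g. "Team", "Department", "Cost Center"


@dataclass
class HRISEmployee:
    unique_id: str
    name: str
    employee_number: str
    first_name: str
    last_name: str
    is_active: bool
    employment_status: str   # e.g. "ACTIVE", "TERMINATE", "PENDING"
    managers: List[str] = field(default_factory=list)   # manager unique_ids
    groups: List[str] = field(default_factory=list)     # group unique_ids

    def __post_init__(self) -> None:
        # Documented rule: the required init arguments must not be empty.
        for attr in ("unique_id", "name", "employee_number", "first_name",
                     "last_name", "employment_status"):
            if not getattr(self, attr):
                raise ValueError(f"{attr} is required and must not be empty")


class HRISProvider:
    def __init__(self, name: str, hris_type: str, url: str) -> None:
        self.name, self.hris_type, self.url = name, hris_type, url
        self.employees: Dict[str, HRISEmployee] = {}   # keyed by unique_id.lower()
        self.groups: Dict[str, HRISGroup] = {}         # keyed by unique_id.lower()

    def add_employee(self, unique_id: str, name: str, employee_number: str,
                     first_name: str, last_name: str, is_active: bool,
                     employment_status: str) -> HRISEmployee:
        if unique_id.lower() in self.employees:
            raise OAATemplateException(f"Employee with ID {unique_id!r} already exists")
        employee = HRISEmployee(unique_id, name, employee_number, first_name,
                                last_name, is_active, employment_status)
        self.employees[unique_id.lower()] = employee
        return employee

    def add_group(self, unique_id: str, name: str, group_type: str) -> HRISGroup:
        if unique_id.lower() in self.groups:
            raise OAATemplateException(f"Group with ID {unique_id!r} already exists")
        group = HRISGroup(unique_id, name, group_type)
        self.groups[unique_id.lower()] = group
        return group

    # Assumption for the example: the existence checks live on the provider.
    def add_employee_to_group(self, employee_id: str, group_id: str) -> None:
        if group_id.lower() not in self.groups:
            raise OAATemplateException(f"Group {group_id!r} must be added before use")
        self.employees[employee_id.lower()].groups.append(group_id)

    def add_manager(self, employee_id: str, manager_id: str) -> None:
        if manager_id.lower() not in self.employees:
            raise OAATemplateException(f"Manager {manager_id!r} must be added as an employee first")
        self.employees[employee_id.lower()].managers.append(manager_id)

    def management_chain(self, employee_id: str) -> List[str]:
        """IDs from the employee's first manager up to the top; stops on a loop."""
        chain: List[str] = []
        seen = {employee_id.lower()}
        current = self.employees[employee_id.lower()]
        while current.managers:
            manager_id = current.managers[0]
            if manager_id.lower() in seen:
                break                          # cycle in the source data
            seen.add(manager_id.lower())
            chain.append(manager_id)
            current = self.employees[manager_id.lower()]
        return chain


def build_sample() -> HRISProvider:
    """Constructed sample instance used by the tests and the demo below."""
    hris = HRISProvider("Example HR", "example", "https://hr.example.com")
    hris.add_employee("E1", "Pat Lead", "1001", "Pat", "Lead", True, "ACTIVE")
    hris.add_employee("E2", "Sam Manager", "1002", "Sam", "Manager", True, "ACTIVE")
    hris.add_employee("E3", "Kim Engineer", "1003", "Kim", "Engineer", True, "ACTIVE")
    hris.add_group("G-ENG", "Engineering", "Department")
    hris.add_manager("E2", "E1")
    hris.add_manager("E3", "E2")
    hris.add_employee_to_group("E3", "G-ENG")
    return hris


if __name__ == "__main__":
    sample = build_sample()
    print("E3 reports up through:", sample.management_chain("E3"))
```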
class HRISPropertyDefinitions
method __init__
method define_employee_property
method define_group_property
method define_system_property
method to_dict
method validate_name
Check property name for valid characters.
Raises an exception if the name string does not match the required pattern. Name must start with a letter and can only contain letters and the _ character.
Args:
name (str): name of property to validate
Raises:
OAATemplateException: Name is not a string
OAATemplateException: Name contains invalid characters or does not start with a letter